News
The official Python software package repository PyPI is under attack from threat actors that have begun flooding it with spam packages, according to a new report from BleepingComputer.
The malicious code was intended for use with Python 2.x, and it generated errors when used in Python 3.x applications. This is how users discovered its presence while debugging their apps.
A recently spotted supply chain attack abused an old but legitimate Python package to deliver a malicious payload. Read more on how the attacker managed to do it and how to protect yourself from it.
This package, too, mimicked the name of a popular Python library, named "colorama." According to the PyPI Stats service, 54 users had downloaded the package a month before it was taken down.
The "pymafka" package has a name that's very similar to "PyKafka," a popular Apache Kafka client for Python that has been downloaded more than 4.2 million times so far.
Placing malicious code in 'setup.py,' however, allows malware to be installed unnoticed at install time, even if the package, or Python itself, is never actually used.
The malicious package was available on PyPI, a package index widely used by Python developers. After being notified of it, PyPI's maintainers have removed the malicious package.
Using Python's index operator [] on a string with an index of -3 will grab the 3rd character from the end of the string; in this case '<built-in function oct>'[-3] will evaluate to 'c'.